splunk / attack_range

A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk
Apache License 2.0

Remove fixed IPs from the Ansible and Terraform. Add additional endpoint agents (XDR, AMP). Add Nessus agent. #932

Status: Closed (cudgel closed this 3 weeks ago)

cudgel commented 4 weeks ago

Move all IPs to config, add the ability to install apps from a private S3 bucket, add support for installing Tenable Nessus Agent, Palo Alto Cortex XDR, and Cisco Secure Endpoint. Remove deprecated language. Fix Ansible templates where variable interpolation was failing due to wrong quotes.

P4T12ICK commented 4 weeks ago

Thank you very much for this massive PR. Give me a little bit of time to review it.

cudgel commented 4 weeks ago

I have another one to follow that adds vulnerable LAMP stack with optional ALB and Splunk Edge Processor with optional NLB but I thought I would break it into smaller pieces. ;)

P4T12ICK commented 3 weeks ago

This code is already part of this PR. I need to spend some time on the code so that as many features as possible also work for Azure and local. In the future it is a lot easier to review and merge when it is small PRs, like one for Cisco AMP, one for configurable IP addresses and so on.

P4T12ICK commented 3 weeks ago

I will create new branches and PRs for every feature which you developed and test them. I can't promise that we can merge everything but I will do my best.

cudgel commented 3 weeks ago

LOL, it shows I need more practice at pull requests. I had to re-add all of my changes at once because the develop branch was significantly refactored right as I published my branch in my fork. So I re-synced develop and tried to merge a subset of the changes into develop. With mixed results, it seems. Well, I have now fully merged my branch into the develop branch in my fork. Let me explain my use case.

Deploying in a test AWS LZA environment with no default VPC. Multiple AZs so I had to be able to specify subnets that were in AZs that had required instance types. I am using a hybrid byo-Splunk environment - the Splunk server forwards to Splunk Cloud as does the Firehose, but you could configure a HEC endpoint on the Attack Range Splunk instance.

At the same time, I wanted to be able to test additional endpoint products side by side in the environment. Here is the working YAML I am using in my development environment:

```yaml
general:
  cloud_provider: aws
  name_prefix: "ar"
  attack_range_name: "csm"
  attack_range_password: XXXXXXXXXXXXXXXXXXX
  key_name: XXXXXXXXXX
  ip_whitelist: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  use_elastic_ips: "0"
  cisco_amp_ubuntu_agent: XXXXXXXXXXXXXXXXXX_ubuntu-20-04-amd64.deb
  cisco_amp_windows_agent: XXXXXXXXXXXXXXXXXX.exe
  cortex_xdr_windows_agent: XXXXXXXXXXXX_x64.msi
  cortex_xdr_ubuntu_agent: XXXXXXXXXXXX.deb
  nessus_agent: "1"
  nessus_agent_key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  nessus_ubuntu_agent: XXXXXXXXXXXXXXXX_amd64.deb
  dns_zone: "attackrange.local"
  domain: "www.attackrange.local"

aws:
  private_key_path: XXXXXXXXXXXXXXXXXXXXXXXXXXXX
  region: us-east-1
  use_elastic_ips: "0"
  use_remote_state: "1"
  tf_remote_state_s3_bucket: "XXXXXXXXXXXXXXXXXXXXXX"
  tf_remote_state_dynamo_db_table: "XXXXXXXXXXXXXXXXXXXXXX"
  vpc_id: "vpc-XXXXXXXXXXXXXXXXX"
  public_subnet_id: "subnet-XXXXXXXXXXXXXXXXX"
  alt_subnet_id: "subnet-XXXXXXXXXXXXXXXXX"
  private_subnet_id: "subnet-XXXXXXXXXXXXXXXXX"
  network_prefix: "10.0.76"
  network_cidr: "10.0.76.160/27"
  first_dynamic_ip: "185"
  bastion_host_ip: 10.0.76.178

windows_servers:
  - hostname: ar-win-dc
    create_domain: "1"
    install_red_team_tools: "1"
    install_cortex_xdr: "1"
    bad_blood: "1"
  - hostname: ar-win-1
    join_domain: "1"
    install_red_team_tools: "1"
    install_cortex_xdr: "1"
  - hostname: ar-win-2
    join_domain: "1"
    install_red_team_tools: "1"
    install_cisco_amp: "1"

linux_servers:
  - hostname: ar-linux-1
    install_red_team_tools: "1"
    install_cortex_xdr: "1"
  - hostname: ar-linux-2
    install_red_team_tools: "1"
    install_cisco_amp: "1"

kali_server:
  kali_server: "1"
  kali_server_ip: "10.0.76.183"

zeek_server:
  zeek_server: "1"
  zeek_server_ip: "10.0.76.182"

snort_server:
  snort_server: "1"
  snort_server_ip: "10.0.76.184"

splunk_server:
  splunk_server: "1"
  splunk_server_ip: "10.0.76.181"
  s3_bucket_url: "XXXXXXXXXXXXXXXXXXX"
  s3_bucket_prefix: "attack_range"
  # List of Splunk Apps to install on the Splunk Server
  splunk_apps:
    - ar_forwarder.tgz
    - DA-ESS-ContentUpdate-latest.tar.gz
    - TA-aurora-0.2.0.tar.gz
    - TA-osquery.tar.gz
    - app-for-circleci_011.tgz
    - phantom-app-for-splunk_4035.tgz
    - palo-alto-networks-add-on-for-splunk_813.tgz
    - punchcard-custom-visualization_150.tgz
    - python-for-scientific-computing-for-linux-64-bit_420.tgz
    - snort-alert-for-splunk_111.tgz
    - splunk-add-on-for-amazon-web-services-aws_760.tgz
    - splunk-add-on-for-carbon-black_210.tgz
    - splunk-add-on-for-crowdstrike-fdr_200.tgz
    - splunk-add-on-for-github_300.tgz
    - splunk-add-on-for-google-workspace_281.tgz
    - splunk-add-on-for-amazon-kinesis-firehose_131r7d1d093.tgz
    - splunk-add-on-for-microsoft-cloud-services_530.tgz
    - splunk-add-on-for-microsoft-office-365_451.tgz
    - splunk-add-on-for-microsoft-windows_880.tgz
    - splunk-add-on-for-nginx_322.tgz
    - splunk-add-on-for-sysmon-for-linux_100.tgz
    - splunk-add-on-for-sysmon_400.tgz
    - splunk-add-on-for-unix-and-linux_910.tgz
    - splunk-app-for-stream_813.tgz
    - splunk-common-information-model-cim_532.tgz
    - splunk-es-content-update_4390.tgz
    - splunk-machine-learning-toolkit_541.tgz
    - splunk-sankey-diagram-custom-visualization_160.tgz
    - splunk-security-essentials_380.tgz
    - splunk-timeline-custom-visualization_162.tgz
    - splunk_attack_range_reporting-1.0.9.tar.gz
    - status-indicator-custom-visualization_150.tgz
    - ta-for-zeek_108.tgz
    - vmware-carbon-black-cloud_115.tgz

edge_processor:
  edge_processor: "1"
  use_nlb: "1"
  splunk_edge_url: "https://beam.scs.splunk.com/splunk-edge/XXXXXXXXXXXXXXXXXXX/linux/splunk-edge.tar.gz"
  splunk_edge_tenant: "XXXXXXXXXXX"
  splunk_edge_env: "production"
  splunk_edge_gid: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
  splunk_edge_token: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

httpd_server:
  httpd_server: "1"
  use_alb: "1"
  install_lamp: "1"
  install_modsec: "1"
  install_dvwa: "1"
  install_mutillidae: "1"
  install_sqli: "1"

waf:
  waf: "1"
  splunk_hec_endpoint: "https://http-inputs-firehose-XXXXXXXXX.splunkcloud.com:443"
  splunk_hec_token: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
```

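Once the fixed IPs live in config rather than in the Ansible and Terraform, a pre-deploy check can confirm the layout is consistent: every enabled component's `*_ip` and the bastion host must sit inside `network_cidr`, below `first_dynamic_ip`, off AWS-reserved subnet addresses, and not collide with each other. This is an added example, not code from the attack_range project or this PR; the sample dict mirrors the non-secret addressing fields of the YAML above, and it assumes dynamic hosts are allocated from `<network_prefix>.<first_dynamic_ip>` upward and that `network_cidr` is the subnet CIDR.

```python
import ipaddress

# Constructed sample of the non-secret addressing fields from the config above (not project code).
SAMPLE_CONFIG = {
    "aws": {"network_prefix": "10.0.76", "network_cidr": "10.0.76.160/27",
            "first_dynamic_ip": "185", "bastion_host_ip": "10.0.76.178"},
    "kali_server": {"kali_server": "1", "kali_server_ip": "10.0.76.183"},
    "zeek_server": {"zeek_server": "1", "zeek_server_ip": "10.0.76.182"},
    "snort_server": {"snort_server": "1", "snort_server_ip": "10.0.76.184"},
    "splunk_server": {"splunk_server": "1", "splunk_server_ip": "10.0.76.181"},
}


def static_ips(config):
    """Bastion IP plus every *_ip of a component whose enable flag is "1"."""
    ips = {"bastion_host_ip": config["aws"]["bastion_host_ip"]}
    for section, settings in config.items():
        # windows_servers/linux_servers are lists and carry no fixed IP; skip them
        if section == "aws" or not isinstance(settings, dict):
            continue
        if settings.get(section, "0") != "1":
            continue  # component disabled: its IP is never allocated
        ips.update({k: v for k, v in settings.items() if k.endswith("_ip")})
    return ips


def check_addressing(config):
    """Return a list of problems; empty means the fixed-IP layout is consistent."""
    aws = config["aws"]
    net = ipaddress.ip_network(aws["network_cidr"], strict=True)
    # Assumption: dynamic hosts get <network_prefix>.<first_dynamic_ip> and upward,
    # so every fixed IP must sit below that address.
    first_dynamic = ipaddress.ip_address(f"{aws['network_prefix']}.{aws['first_dynamic_ip']}")
    # AWS reserves a subnet's first four and last addresses (assumes network_cidr is the subnet)
    reserved = set(list(net)[:4]) | {net.broadcast_address}
    problems, seen = [], {}
    if first_dynamic not in net:
        problems.append(f"first_dynamic_ip {first_dynamic} outside {net}")
    for key, value in static_ips(config).items():
        ip = ipaddress.ip_address(value)
        if ip not in net:
            problems.append(f"{key}={ip} outside {net}")
        elif ip >= first_dynamic:
            problems.append(f"{key}={ip} collides with dynamic range from {first_dynamic}")
        elif ip in reserved:
            problems.append(f"{key}={ip} is an AWS-reserved subnet address")
        if ip in seen:
            problems.append(f"{key} duplicates {seen[ip]} ({ip})")
        seen[ip] = key
    return problems
```

Run `check_addressing` on the parsed attack_range YAML before `terraform apply`; a disabled component's stale IP is ignored, so only addresses that will actually be allocated are checked.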
P4T12ICK commented 3 weeks ago

Thank you very much. I already started a new branch which integrates Cisco AMP / Cisco Secure Endpoint with your changes. I also want to add that the logging is forwarded to Splunk. I will let you know when it is done.

P4T12ICK commented 1 week ago

I started to merge in the first PR with contributions from you, with Cisco Secure Endpoint. I added you to the contributors. Thank you.